| Commit message (Collapse) | Author | Age | Files |
... | |
| |
|
| |
|
| |
|
|
|
|
|
|
| |
As db.local.clamav.net is not always properly localized. Furthermore,
our previous Ansiblee script did not ensure ordering of the
DatabaseMirror lines.
|
|
|
|
|
|
|
|
|
| |
Clients now have to use the NAMESPACE extension [RFC 2342] to discover
mailboxes under the “virtual/” namespace. (Plus an extra LIST command,
causing an overhead two roundtrips.) Of course the downside is that non
namespace-aware clients lose access to the “virtual/{all,flagged,…}”
mailboxes, but on second thought it's probably better this way rather
than having such clients treat these mailboxes as regular mailboxes.
|
|
|
|
|
| |
We don't want to use the default instance since its SIZE limit is
tighter than the ones on the MX:es.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
To avoid new commits upon cert renewal.
|
| |
|
|
|
|
| |
The CGI wants to create a temp file during bulk subcription.
|
| |
|
|
|
|
|
| |
We should use IPSec instead, but doing so would force us to weaken
slapd.conf's ‘security’ setting.
|
|
|
|
|
| |
In order to avoid ‘double-bounce@’ ending up on spammer mailing lists.
See http://www.postfix.org/ADDRESS_VERIFICATION_README.html .
|
|
|
|
|
|
|
|
|
| |
Dovecot imapc requires two authentication rounds to the IMAP backend for
each connection. It seems suboptimal that Roundcube keeps connecting to
the IMAP server for each new connection, but benchmarks shows little
advantage in caching the IMAP sessions with imapproxy:
http://www.dovecot.org/list/dovecot/2012-February/133544.html
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
There is no need to bother with X.509 cruft here.
|
| |
|
|
|
|
|
|
| |
Which was incorrectly removed at commit
8cf4032ecec5b9f58d829e89f231179170432539
|
| |
|
|
|
|
|
| |
Since many bug have been fixed since 2.2.13, and we really want
passthrough search on the caching proxy.
|
| |
|
|
|
|
| |
/var/lib/imapproxy.
|
|
|
|
|
|
| |
(On port 143.) Moreover, add the whole IPSec virtual subnet to
‘login_trusted_networks’ since our IPSec tunnels provide end-to-end
encryption and we therefore don't need the extra SSL/TLS protection.
|
| |
|
|
|
|
| |
The comment regarding stunnel4 seems to not be relevant any longer.
|
|
|
|
|
| |
We're now using the Let's Encrypt CA for our public internet-facing
services.
|
| |
|
| |
|
|
|
|
|
| |
Using https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/master/pandoc.pm
at revision 60fd07b46c750e0891e3474f75e26076348b66c5
|
|
|
|
| |
parameters.
|
| |
|
|
|
|
| |
By allowing to place graphs into /var/lib/munin/cgi-tmp/munin-cgi-graph.
|
| |
|
|
|
|
|
|
|
| |
More precisely, between our NTP-master (stratum 1) host and the other
machines (all stratum 2). Providing authentification and integrity for
internal NTP traffic ensures a consistent time within our internal
infrastructure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
|
| |
|
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
|
|
|
|
|
|
|
|
|
|
| |
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
|
|
|
|
| |
That is, on the MSA and in our local infrastructure.
|
|
|
|
|
|
| |
locally.
And use this to fetch all X.509 leaf certificates.
|